Single Item Restore with Exchange

Last week my blog was centred around single file recovery within VMWare so it's only fair and proper that we cover the same for Exchange. The process is almost identical to the one described last week, we use long-term retention snapshots as the point-in-time backup, clone the relevant volumes and then mount them to a recovery server to perform the single item restore. However with Exchange there are a few more options with regards to the third party software that you can use. In no order (other than alphabetical), the tools I am aware of are: Kroll ONTrack Exchange Recovery, Lepide's Exchange Recovery Manager and Veeam's Exchange Recovery Tool. All excellent tools (I'm sure there are others) and all work on the same premise of pointing them to a Nimble backed snapshot EDB file and then perform the single object restore, either back to a PST or to a Live Exchange Server.

The real value of this is very fast and efficient restores of what normally is a lot of operational effort, which typically compromises of:

- Restore the data from a backup using a traditional method

- Build a Recovery Group in Exchange

- Perform the object restore

- Clean up the environment

or simply telling the user 'if it's out of their deleted items cache then tough luck !'

Here's how it's done...

For this demonstration I am going to use Kroll ONTrack but the steps are almost identical for the other two software products mentioned above.

First I will log into my Exchange Server and delete 'A really important' email, to give us something to restore:

Next we will login to the Nimble Web GUI and navigate to the Volume Collection for the Exchange Server. A volume collection is exactly as it sounds, it's a group of volumes that are going to snapshotted together for consistency.

Within the Exchange Volume Collection you will see my Exchange data volume and Exchange logs volume:

The screenshot above shows the two volumes (data and log) in the volume collection, the Production Exchange server that we are integrating the VSS snapshot with, the frequency, schedule and retention of the backups. Clicking on the Snapshots tab will show you all the available snapshots for restore:

Select the snapshot, you wish to restore from and then click Clone.

Note: This will automatically clone both the data and logs volume, so we have to provide the volume names of the new clones: TIP: It's good to use a consistent naming standard here so you identify them as clones and also associate them to the Exchange data and logs volume.

Clicking OK will immediately create a clone for both volumes. These can be viewed on the Volumes page:

As you can see neither clone is taking any space (it's just a copy of pointers).

TIP: It's likely that we want to make these accessible to a different server other than the Production Exchange server; As the ONTrack software can be run from anywhere and we can present the clones to any host with an iSCSI initiator, we may as well divorce the restore process from the production Exchange servers. In order to do this we have to Edit the volumes and make sure they are mapped to the host where the Exchange Single Item Restore will be performed from. For each volume you can click on the link to show more details of the volume:

and then remap to the required host by clicking Edit, clicking on the Access tab, removing the existing Production Exchange server and adding the required restore host.

Click OK and then confirm that the volume is mapped to the correct host (win7 in my case)

This will need to be competed for both the Data Clone volume and the Log Clone volume.

Next we login to the server where the Single File Restore software is installed and map the two drives. First using the Microsoft iSCSI Software Initiator to connect the volumes:

and then using Disk Manager to bring the volumes Online:

and mount them to a drive letter (G: Data & H: Logs, in my case) or an existing mount point:

TIP: Mount points are actually better than Drive letters as your not limited to 23-25 locations and there is no issue cleaning them up (Windows has a tendency to gobble drive letters requiring a reboot to reclaim them).

If you want to you can browse the filesystems and navigate to the EDB file:

In the interests of the readers understanding, I've so far walked through all the steps but all the above can be readily automated by providing a Powershell script to Clone and Mount the volumes to bring us to this stage. Which not only speeds up the process but also makes it more consistent (naming standards, locations for mounting the drive etc). You can view that here: Powershell to automate volume, snapshot, clone and mount.

In order to perform the single item restore you need to startup the Kroll Exchange Recovery software. Once loaded it will ask you the Source location of your EDB file (G:) and any Exchange logs that you'd like to process (H:):

The wizard will then ask your for your Destination; This could be a PST file or the Active Exchange Server. In this example we will drop the items directly back into the Live Exchange Server Mailbox so I need to provide the appropriate credentials:

Exchange Recovery will then connect to both the Source and Destination and present both in the window below (The top window being the Source, the snapshot; The bottom window being the Destination, the Active Mailbox):

Finally, all your left to do is to simply drag the item that you wish to restore from the source (My Important Email in the above) and simply drag it to the place on the destination to where you wish to restore the object (back to the Inbox in my example). The object will then be copied (in a matter of seconds):

and that's all there is to it... The email can be seen to be back from the GUI:

or by looking back on the Client:

Note: You can restore any object (Email, Contact, Calendar item).

You can also leverage the search functionality to search the mounted EDB file for text in the email subject, header, body, even attachments and it will return all items matching the criteria either in the selected mailbox or the entire database. Great for compliance type searches and a very powerful feature, particularly given a compliance search may require investigating multiple backups/points in time and the traditional method of provision space/restore/search/repeat can take hours per search. Nimble cloning allows this operation to be completed in minutes per backup. Below is a screen shot highlighting the search button.

Finally all there is left to do to clean up is, close the application; If you used a drive letter rather than a mount point, unmount the drives (so Windows returns the drive letter back to the pool):

and finally log in to the Nimble Storage GUI and offline the two Clonevolumes and then delete the clones:

TIP: Delete the clones and not the primary volumes

Again for those wishing to see this in action there is a demo available here